The NSX-T Tier-0 Gateway must be configured to restrict traffic destined to itself.

Severity: high
Group ID: V-251749
Group Title: SRG-NET-000205-RTR-000001
Version: T0RT-3X-000038
Rule ID: SV-251749r810131_rule
Date: 2022-09-01
STIG Version: 1
Description
The route processor handles traffic destined to the router itself. It is the key component used to build forwarding paths and is also instrumental in all network management functions. Hence, any disruption or DoS attack against the route processor can result in mission-critical network outages. On an NSX-T Tier-0 Gateway this control plane is reachable through the gateway's own external (uplink) interface IPs, so traffic to those addresses must be explicitly restricted.
ℹ️ Check
If the Tier-0 Gateway is deployed in an Active/Active HA mode, this is Not Applicable. From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules and choose each Tier-0 Gateway in the drop-down. Review each Tier-0 Gateway's firewall rules to verify that rules exist to restrict traffic destined to the gateway itself, i.e., rules whose destination covers every external interface IP, whose action is "Drop" or "Reject", and whose "Applied To" includes that Tier-0 Gateway. If no such rule or rules exist to restrict traffic to the external interface IPs, this is a finding.
✔️ Fix
To configure firewall rule(s) to restrict traffic destined to interfaces on a Tier-0 Gateway, do the following: From the NSX-T Manager web interface, go to Security >> Gateway Firewall >> Gateway Specific Rules and select the target Tier-0 Gateway from the drop-down. Click "Add Rule" (add a policy first if needed) and configure the destinations to include all IPs for the external interfaces. Set the action to "Drop" or "Reject". Enable logging, then under the "Applied To" field select the target Tier-0 Gateway(s) and click "Publish" to enforce the new rule. Because gateway firewall rules are evaluated top-down, this default deny rule should sit at the bottom of the policy; any rules needed to allow specific traffic to the external interface IPs (for example, routing protocol sessions from configured peers) must be placed above it. Add a new Tier-0 uplink IP to the rule's destinations whenever an external interface is added or renumbered, or the new address is left unprotected.
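The same rule can be built and audited through the NSX-T Policy API instead of the UI. The following is an added example, not code from the STIG or from VMware. It builds the GatewayPolicy/Rule payload that the Fix describes (destination = all external interface IPs, action DROP, logging on, "Applied To" = the target Tier-0 via the rule's scope) and then applies the Check to an existing set of gateway policies, returning Not Applicable for an Active/Active Tier-0 and listing any uplink IP that no deny rule covers. The Tier-0 path, policy ID, interface addresses and sample policy objects are constructed assumptions; the endpoint and field names follow the Policy API GatewayPolicy and Rule schema and should be confirmed against the API reference for your NSX-T release.

```python
import ipaddress
import json

# Assumed identifiers (not taken from the STIG text).
T0_PATH = "/infra/tier-0s/T0-GW"                 # policy path of the target Tier-0
POLICY_ID = "T0RT-3X-000038-restrict-self"       # gateway policy that will hold the deny rule
# PATCH target for build_gateway_policy() output (Policy API):
API_ENDPOINT = f"/policy/api/v1/infra/domains/default/gateway-policies/{POLICY_ID}"

# Constructed sample: the Tier-0's external (uplink) interface addresses.
EXTERNAL_INTERFACE_IPS = ["192.0.2.10", "192.0.2.11", "2001:db8::10"]

DENY_ACTIONS = {"DROP", "REJECT"}


def build_gateway_policy(policy_id, t0_path, interface_ips, action="DROP", sequence_number=1000):
    """Body for PATCH .../gateway-policies/{policy_id}: one logged deny rule whose
    destinations are the uplink IPs and whose scope ("Applied To") is the Tier-0.
    Permit rules for required traffic must use a lower sequence_number so they
    are evaluated before this default deny."""
    if action not in DENY_ACTIONS:
        raise ValueError("action must be DROP or REJECT")
    return {
        "resource_type": "GatewayPolicy",
        "id": policy_id,
        "display_name": policy_id,
        "category": "LocalGatewayRules",
        "rules": [{
            "resource_type": "Rule",
            "id": "deny-to-t0-interfaces",
            "display_name": "deny-to-t0-interfaces",
            "sequence_number": sequence_number,
            "source_groups": ["ANY"],
            "destination_groups": list(interface_ips),  # IPs/CIDRs are accepted directly
            "services": ["ANY"],
            "direction": "IN_OUT",                       # UI default
            "ip_protocol": "IPV4_IPV6",
            "action": action,
            "logged": True,
            "scope": [t0_path],
        }],
    }


def _covers(ip, dest_entry):
    """True if a destination entry ("ANY", an IP, or a CIDR) covers ip.
    Group paths cannot be resolved offline and are treated as not covering."""
    if dest_entry == "ANY":
        return True
    try:
        net = ipaddress.ip_network(dest_entry, strict=False)
    except ValueError:
        return False
    return ipaddress.ip_address(ip) in net   # False across IP versions


def audit_tier0(t0, policies, interface_ips):
    """Apply the STIG check to one Tier-0.
    t0: dict with 'path' and 'ha_mode' (as in GET /policy/api/v1/infra/tier-0s/{id}).
    policies: list of GatewayPolicy dicts for that Tier-0.
    Returns ("NA", []) for Active/Active, ("PASS", []) when every uplink IP is covered
    by an enabled DROP/REJECT rule scoped to this Tier-0, else ("FAIL", uncovered_ips)."""
    if t0.get("ha_mode") == "ACTIVE_ACTIVE":
        return "NA", []
    uncovered = []
    for ip in interface_ips:
        protected = any(
            rule.get("action") in DENY_ACTIONS
            and not rule.get("disabled", False)
            and t0["path"] in rule.get("scope", [])
            and any(_covers(ip, d) for d in rule.get("destination_groups", []))
            for policy in policies
            for rule in policy.get("rules", [])
        )
        if not protected:
            uncovered.append(ip)
    return ("PASS" if not uncovered else "FAIL"), uncovered


# Constructed sample objects standing in for API responses.
SAMPLE_T0 = {"path": T0_PATH, "ha_mode": "ACTIVE_STANDBY"}
SAMPLE_T0_AA = {"path": T0_PATH, "ha_mode": "ACTIVE_ACTIVE"}
PARTIAL_POLICY = {   # protects only the first uplink: a finding for the others
    "resource_type": "GatewayPolicy", "id": "partial", "category": "LocalGatewayRules",
    "rules": [{"id": "r1", "action": "DROP", "destination_groups": ["192.0.2.10"],
               "source_groups": ["ANY"], "services": ["ANY"], "scope": [T0_PATH],
               "logged": True}],
}

if __name__ == "__main__":
    print("before fix:", audit_tier0(SAMPLE_T0, [PARTIAL_POLICY], EXTERNAL_INTERFACE_IPS))
    fix = build_gateway_policy(POLICY_ID, T0_PATH, EXTERNAL_INTERFACE_IPS)
    print("PATCH", API_ENDPOINT)
    print(json.dumps(fix, indent=2))
    print("after fix:", audit_tier0(SAMPLE_T0, [PARTIAL_POLICY, fix], EXTERNAL_INTERFACE_IPS))
```

The audit treats a deny rule scoped to a different Tier-0, a disabled rule, or a rule whose destination is a group path as not protecting the address, which is the conservative reading of the Check; resolve group membership separately before accepting such a rule as compliant.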